Ubuntu Linux

[Slice of Life]

Quote:

Originally Posted by Epyon9283

Just being open source doesn't mean the code for an app has been reviewed at all by anyone.

... let alone sufficiently so. Yes, yes, YES. That's what I'm saying. Why do you repeat my whole story?

Quote:

Originally Posted by Epyon9283

You shouldn't put passwords into closed source apps?

Yes, of course you shouldn't. Why should that application need my password anyway? This is highly dubious. Especially if the application comes from some shady place.

[Epyon9283]

Quote:

Originally Posted by Slice of Life

Yes, of course you shouldn't. Why should that application need my password anyway? This is highly dubious. Especially if the application comes from some shady place.

Do you have a gmail, yahoo, or msn account? Have you ever used an ATM to withdraw money from your bank account? Do you do any online banking? Do you use Opera, IE, or Safari to do any web browsing? Do you use Skype? If so, you entered passwords into closed source systems. Just because an application is closed source does not mean it is inherently more dangerous than an open source application. Especially if you're unwilling or unable to review the code yourself.

If you're getting your applications from shady locations on the Internet it doesn't matter if they're open or closed source. I could release "Epyon's super-cool Firefox build" and put code in to steal passwords. If people download the binaries from me they're not going to necessarily know what I've done to the software.

[Slice of Life]

Quote:

Originally Posted by Epyon9283

Do you have a gmail, yahoo, or msn account? Have you ever used an ATM to withdraw money from your bank account? Do you do any online banking? Do you use Opera, IE, or Safari to do any web browsing? Do you use Skype? If so, you entered passwords into closed source systems. Just because an application is closed source does not mean it is inherently more dangerous than an open source application. Especially if you're unwilling or unable to review the code yourself.

If you're getting your applications from shady locations on the Internet it doesn't matter if they're open or closed source. I could release "Epyon's super-cool Firefox build" and put code in to steal passwords. If people download the binaries from me they're not going to necessarily know what I've done to the software.

Ledgem talked about his "administrator credentials" and that's also what I'm talking about. That is, I'm talking about the PCs and dedicated hosts I have root access to and the very passwords to get access there (as root or normal user). Not about passwords for mailboxes or forums or anything else that either isn't really relevant to my privacy (you'd already have a hard time finding out my real name peeking into my several yahoo mail accounts) or systems other people have the responsibility (and strong interest!) to take care of, like ATMs. I don't want your exotic super-cool Epyon stuff especially not as binaries. I can't exclude the possibility that my new mplayer version or any other widely used stuff contains a root-kit or w/e because the developer decided to become an evil mastermind but the chance is very small and the chance that I'd notice during compiling/installing is high enough. And I'd be really surprised if the newly built mplayer suddenly asked for my password. The programs I give my root password are called su and ssh.

No matter how debian screws up from time to time, packages from the big distributors are much safer than some closed source program from youcantotallytrustus.ru that I repeat it again, even asks for my password! Or wants to run with root permissions or whatever. No system is 100 percent secure but just because you can in principle break the lock at my door doesn't mean that I deposit my cash on my lawn rightaway.

[Epyon9283]

Why would anyone give up their password to some random application asking for it? What does that have to do with open vs closed source? If I installed firefox via apt-get or yum or whatever package manager I'm using and it asked for my password when I started it I'd be very concerned. Firefox doesn't need my password. If I downloaded some random app from some .ru or .cn domain I wouldn't give up my password if prompted.

[Slice of Life]

*sigh* Look at the thread. Ledgem said. "In the situation I'm imagining, suppose that you're trying to install software. You'll need to enter your administrator credentials to do this. But what if the program actively stores the login and password information and either uses this for a malicious purpose or sends it to a malicious third party. [...] I except WanderingKnight to remark about how open source software is superior for this concern"

Obviously, you have to enter your root password somewhere to install software (system-wide at least), this somewhere being e.g. su. But if you need to enter it into closed software at some point during the install/setup process then something is fishy. This might be obvious to you. But Ledgem asked and I answered, playfully taking up his remark about WK. And in the main part I even said that one can't blindly trust open source to be safe either. So I don't really understand why you started this holy war about open source/closed source or thought I wanted to start one. Maybe we two can agree that a Linux user should avoid closed source as much as possible and not use it for anything security relevant. And maybe we two can stop spamming this thread.

[grey_moon]

Going to take a technology solution stance on Ledgem's post.

Personally if I was worried about running an app that required elevated rights I would look into sudo and creating a user with just enough rights to do the job. Then I would use AppArmour to limit that app to only be able to access what it requires.

Now if it requires root rights, I would create a VM and use it in that.

In regards to putting in a password to install an app. The password is handled by the installation app; be it synaptic, apt etc etc. Now ofc the app you are installing could be a trojan, but this has already been covered....

[Epyon9283]

I didn't intend to start any kind of "holy war" I just thought it was odd to trust open source over closed when the source code of the open source app may not necessarily have been reviewed by anyone. I think that in general large open source apps are pretty safe since they probably have quite a few people looking at the code and to slip something malicious in would be difficult.

Ledgem's original comment regarding password theft doesn't really make sense. If you're concerned about a software installation procedure (whether it be through the package manager, an install script or a "make install") stealing your password when you go to elevate privileges to install it, you're worried about the wrong thing. Why would it bother stealing your password when you already gave it root privileges? You forfeited any kind of protection when you did that. Anything you run with root privileges has free reign over the system.

[Slice of Life]

Quote:

just thought it was odd to trust open source over closed

So you think "might not necessarily have been reviewed by anyone" is the same as "cannot be reviewed in principle". Can we at least agree to disagree here? It's the same as with traditional and electronic voting. With paper ballots they can still manipulate the votes if nobody pays attention but it's much more risky and harder.

The point with installing open software is you don't have to review 100,000 lines of code as long as you at least look into the makefile before the final installation step. Just moving stuff to /usr/local/ won't take over your system. Yes, there are always risks. It might still be able to exploit some bug to gain root privileges even when being run as normal user. But it's still much safer than downloading some binary backbox that opens a window prompting you "for installation type in root password:" or tells you "run './gizmo --install' as root". Which was what Legdem was thinking about if I got him correctly.

You won't get 100 percent security in any case. But that doesn't mean there's no need to care at all anymore "because there's no difference anyway".

[WanderingKnight]

The same as software isn't ever bug-free, computers are never secure. Seeking 100% effectiveness in any of both fields is going to lead you nowhere.

It's not hard for anyone with moderate knowledge about computers and software to realize that.

[grey_moon]

Upgrading my test boxes to 8.10 and then tonight I'm going to install it onto my EeePC...

I'm so excited

[IRJustman]

I still haven't updated my desktop box yet (I rarely even use it given space and electricity constraints where I presently live), and it's been through multiple iterations since... oh... Breezy, IIRP. I'm just concerned about the amount of "cruft" which has accumulated on that box over the many years I've had that installed for reliability reasons.

Anyway, I used KDE 4.1.2 on my server; I'm still not too thrilled with it, but it felt a bit better than what was in Hardy Heron, and nearly as good as 3.5.10 which I prefer anyway. I could get used to it, maybe. I guess we'll see.

--Ian.

[IRJustman]

Has anyone played with NetBSD's pkgsrc collection? It is similar to (and actually based upon an older version of) FreeBSD's ports collection, so if you've ever used any of the BSD systems, you'll know somewhat how this works.

However, the big difference is that the NetBSD pkgsrc collection is NOT platform-specific, BSD or otherwise (even works under Windows using Microsoft's Services For Unix, a.k.a. "Interix").

Though the main issue I'm running into is that on any of my Linux systems, I can't get the latest version's bootstrap script to properly run. It dies on an undefined ARG_MAX macro. I posted a report to the pkgsrc-users list at NetBSD to see if anyone's experienced something similar. I've confirmed this under Intrepid Ibex and Fedora 9.

--Ian.

[IRJustman]

Quote:

Originally Posted by IRJustman

Though the main issue I'm running into is that on any of my Linux systems, I can't get the latest version's bootstrap script to properly run. It dies on an undefined ARG_MAX macro. I posted a report to the pkgsrc-users list at NetBSD to see if anyone's experienced something similar. I've confirmed this under Intrepid Ibex and Fedora 9.

Actually, I found patches to fix this one. Now, the problem is that Ubuntu errors out again and Fedora 9 goes into Lala Land when it checks the compiler type as part of a configure script to build one of the packaging tools.

Will keep you guys updated on this one.

--Ian.

[Green²]

Tried updating to 8.10 (i386) through the update manager, and the update installation failed hard for me. Probably a Nvidia video driver bug in my case. I'm going to go back to 8.04, and will probably give 8.10 another try next year.

[martino]

Well, I tried 8.10 as well. It worked, but very strangely. My system locale now seems to be a strange mix of Japanese, English and Slovak (all languages which I had installed keyboard support for, but only used English for the system locale), which makes it rather impossible for me to be able change something, given that most of it is in Japanese and I have very little clue about what it means... Other strange things like ALSA hanging up when rebooting (need to power off the PC by force) and some icons missing in System Settings (unless that is a new feature of KDE4 >_>). WLAN not working, as expected, and I haven't been able to start their new network manager with root privileges in order to change the settings... Audio hasn't been tested either, my guess is that it's been butchered too... :<

I think I'll be having a fun afternoon today... (and my VM updated all fine... le sigh)

[WanderingKnight]

Quote:

Tried updating to 8.10 (i386) through the update manager, and the update installation failed hard for me. Probably a Nvidia video driver bug in my case. I'm going to go back to 8.04, and will probably give 8.10 another try next year.

I found a similar problem (I'm guessing Xorg crashed hard on you when you first booted up)--you need to install the driver manually (nvidia-glx-177 is the name of the package).

Quote:

My system locale now seems to be a strange mix of Japanese, English and Slovak

I had a similar problem... my $LANGUAGE was set to Japanese by default, I have no idea why. I had to add

Code:

export LANGUAGE="en"

to my both ~/.bashrc and /root/.bashrc in order to set everything back, but some stuff was left over (file types, for example, are all in Japanese... I still haven't tried to fix that, I've had very little time).

We had the release party last night! 52 people came to the Buenos Aires meeting. I'll post some pictures soon enough.

[SeijiSensei]

I installed the beta of Kubuntu 8.10 on the desktop machine I'm using now and found a few flaws here and there. Installing the proprietary nVidia driver made the on-screen text microscopically sized. I needed to add an Options line to xorg.conf to make the text readable again.

OTOH, Intrepid had support for my Linksys 802.11g USB wifi device which failed to work under any versions of Fedora including, as I recall, the F10 release candidate. I like the look of KDE 4.1 better than 3.5+ as well, though I wish they'd hurry up and include the patch to enable auto-hiding of the panel. It's especially annoying with some tall dialog boxes that for some reason can't be resized (Thunderbird's address book entry screen is one). I can't see the buttons at the bottom of the dialog box.

Audio support seems a bit schizophrenic as well. Some apps like SMplayer are configured to use Pulse by default, others use ALSA. I've settled on ALSA since I don't need to share audio over the network. KDE's former standard, arts, doesn't appear well-supported at all. Perhaps it's been deprecated in KDE 4+ even though it appears as an option in application dialogs?

What was even more impressive was how well 8.10 (final) installed on my daughter's Inspiron 640m laptop. I no longer needed to install 915resolution to get the Intel graphics to display correctly. Even better was that I could configure NetworkManager to start the Intel wireless device after logging in. On the earlier version of Ubuntu she had (Feisty?), we'd always have to start the wireless device manually. On the down side, the wireless LED now flashes periodically which is extremely distracting. There's talk about this on the Ubuntu forums already because it's so annoying.

I do find the one-CD approach of Ubuntu a bit of a pain. I don't really understand why they don't distribute DVDs with all or most of the packages the way Fedora does. I'm constantly having to install things over the network like nfs-server or even Firefox and Thunderbird because they're not defaults with Kubuntu. The most obvious omission is openssh-server which is something I use every day on almost every Linux machine I manage.

I'm still wondering where some of the old KDE control panel items have disappeared to, especially things like power management. The kcontrol application doesn't even appear as an option in the Intrepid repositories any more (KDE4 change perhaps). I'm also going through the RH -> Debian transition needing to figure out how to designate which services start at boot for instance.

Still I might end up sticking with Ubuntu for a while after this release, at least on the desktop. I doubt I'll stop using CentOS on servers, though.

[grey_moon]

So far so good on my old siemens lappy, my asus f9e and its little brother the eeepc 901

A couple of graphical glitches with the icons in the notify widget and my network manager disapeared last night, but other then that it seems pretty stable. Maybe MS can learn something about subtle changes instead of their shock and awe tactic to drive up sales...

[WanderingKnight]

Quote:

KDE's former standard, arts, doesn't appear well-supported at all. Perhaps it's been deprecated in KDE 4+ even though it appears as an option in application dialogs?

That's weird... I heard arts was completely deprecated in KDE 4.

[martino]

If anyone might find this useful, there seems to be some bug when you install Intrepid over an existing installation (ie upgrade) with the NetworkManager where it keeps saying that the network is umanaged (in my case it was wireless, but seems like wired can get the same issue as well), or smt like that, open /etc/NetworkManager/nm-system-settings.conf for editing, and change "managed=false" to "managed=true" and restart. Hope it may be of help to some people...

Now, since I'm back on the internet, time to play with the language issue.


EDIT:
@WanderingKnight: Uninstall all the languages other than English and fixed. I haven't tried putting them back on to see what'd happen.